The title sounds pretty grave, so let's understand exactly what it means. Server auditing is where you want to know:
- Who is successfully logging into your server and when?
- What commands are users or processes executing on your server?
- Who is failing to log in to your server and when?
- What are the processes that are running on your server, what are the ports that are being used, at any given time?
- What are the files that are being modified and what are the modifications to the file?
- Has any new user/group been added, or has any existing user/group been modified?
These are a few of the essential reasons we audit servers to enhance their security.
Why do we need this?
You must have heard about the security breach on Facebook's servers, which the company only realized later. Breaches like this can be prevented or defended against to a great extent if we continuously audit and monitor our servers.
How do we do this?
As for how to implement this, we have two routes –
Open source (free tools) –
1. OSSEC
2. Apache Metron
3. Auditbeat by Elastic
4. SIEMonster
There are several other players in the market as well.
Paid versions –
1. Threat Stack
2. Auditbeat by Elastic
3. Splunk to an extent
4. Nagios
5. AlienVault OSSIM
There are several other players in the market as well.
Auditbeat by Elastic, combined with Elasticsearch and Kibana, is my personal preference. It comes in both free and paid flavors. I recommend using the free version and opting for the paid one only if you feel the free version can't do what you want it to do.
How Auditbeat works –
Beats are lightweight shippers. Install Auditbeat on every server you want to audit and configure it to send the audit logs to Elasticsearch, which indexes and enriches the data. The data can then be visualized in Kibana, where you can build dashboards for it.
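A minimal auditbeat.yml that maps the audit questions listed at the top of this post onto Auditbeat's modules and ships the events to Elasticsearch. This is an added example, not configuration from the original post; the hostnames, account name, certificate path, rule keys and watched paths are assumptions to adapt to your environment.

```yaml
# auditbeat.yml (added example; hosts, credentials and paths are placeholders)
auditbeat.modules:

  # Linux audit framework: which commands run, and changes to user/group files
  - module: auditd
    audit_rules: |
      # Record every program execution (who ran what, and when)
      -a always,exit -F arch=b64 -S execve,execveat -k exec
      # Record writes and attribute changes to the user and group databases
      -w /etc/passwd -p wa -k identity
      -w /etc/group -p wa -k identity
      -w /etc/shadow -p wa -k identity
      -w /etc/gshadow -p wa -k identity

  # File integrity monitoring: which files were created, changed or deleted
  - module: file_integrity
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc

  # Host state: logins, running processes, sockets/ports in use, user accounts
  - module: system
    datasets:
      - login     # successful and failed logins
      - process   # processes started and stopped
      - socket    # sockets opened and closed
      - user      # users added, removed or changed
    period: 10s         # how often to poll for changes
    state.period: 12h   # how often to resend the full current state

# Ship events to Elasticsearch over TLS with a dedicated low-privilege account
output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]   # placeholder host
  username: "auditbeat_writer"                             # placeholder account
  password: "${ES_PWD}"             # read from the environment or the Beats keystore
  ssl.certificate_authorities: ["/etc/auditbeat/ca.crt"]   # placeholder path

# Used by "auditbeat setup" to load the bundled dashboards into Kibana
setup.kibana:
  host: "https://kibana.example.internal:5601"             # placeholder host
```

The file_integrity module records that a file changed, along with its hashes and metadata; it does not capture the content of the modification, so pair it with configuration management or version control where you need the actual diff.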
Server auditing is no longer an enrichment; it's a mandatory requirement.
Howdy! This post could not be written any better! Reading this post reminds me of my previous room mate! He always kept chatting about this. I will forward this post to him. Fairly certain he will have a good read. Thanks for sharing!